GuardianUnivalle-Benito-Yucra 0.1.7__py3-none-any.whl → 0.1.9__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of GuardianUnivalle-Benito-Yucra might be problematic. Click here for more details.
- GuardianUnivalle_Benito_Yucra/detectores/detector_sql.py +77 -9
- {guardianunivalle_benito_yucra-0.1.7.dist-info → guardianunivalle_benito_yucra-0.1.9.dist-info}/METADATA +1 -1
- {guardianunivalle_benito_yucra-0.1.7.dist-info → guardianunivalle_benito_yucra-0.1.9.dist-info}/RECORD +6 -6
- {guardianunivalle_benito_yucra-0.1.7.dist-info → guardianunivalle_benito_yucra-0.1.9.dist-info}/WHEEL +0 -0
- {guardianunivalle_benito_yucra-0.1.7.dist-info → guardianunivalle_benito_yucra-0.1.9.dist-info}/licenses/LICENSE +0 -0
- {guardianunivalle_benito_yucra-0.1.7.dist-info → guardianunivalle_benito_yucra-0.1.9.dist-info}/top_level.txt +0 -0
|
@@ -1,9 +1,20 @@
|
|
|
1
1
|
import re
|
|
2
2
|
import json
|
|
3
3
|
import time
|
|
4
|
+
import logging
|
|
4
5
|
from typing import Tuple
|
|
5
6
|
from django.http import JsonResponse
|
|
6
7
|
from django.utils.deprecation import MiddlewareMixin
|
|
8
|
+
from django.conf import settings
|
|
9
|
+
from django.core.signing import TimestampSigner, BadSignature, SignatureExpired
|
|
10
|
+
|
|
11
|
+
# ---------- Configuración de logging ----------
|
|
12
|
+
logger = logging.getLogger("sqlidefense")
|
|
13
|
+
logger.setLevel(logging.INFO)
|
|
14
|
+
handler = logging.StreamHandler() # Por consola; en producción puede ser FileHandler
|
|
15
|
+
formatter = logging.Formatter("%(asctime)s - %(levelname)s - %(message)s")
|
|
16
|
+
handler.setFormatter(formatter)
|
|
17
|
+
logger.addHandler(handler)
|
|
7
18
|
|
|
8
19
|
# ---------- Patrones de ataques SQL ----------
|
|
9
20
|
PATTERNS = [
|
|
@@ -34,14 +45,28 @@ PATTERNS = [
|
|
|
34
45
|
TEMP_BLOCK = {} # {ip: timestamp}
|
|
35
46
|
BLOCK_DURATION = 30 # segundos
|
|
36
47
|
|
|
48
|
+
# ---------- Configuración para bypass ----------
|
|
49
|
+
BYPASS_MAX_AGE = getattr(settings, "SQLI_BYPASS_MAX_AGE", 30) # segundos
|
|
50
|
+
BYPASS_HEADER = "HTTP_X_SQLI_BYPASS"
|
|
51
|
+
|
|
52
|
+
# --- JWT soporte (si simplejwt está instalado) ---
|
|
53
|
+
try:
|
|
54
|
+
from rest_framework_simplejwt.backends import TokenBackend
|
|
55
|
+
|
|
56
|
+
SIMPLEJWT_AVAILABLE = True
|
|
57
|
+
except Exception:
|
|
58
|
+
SIMPLEJWT_AVAILABLE = False
|
|
59
|
+
|
|
37
60
|
|
|
38
61
|
# ---------- Helpers ----------
|
|
39
62
|
def extract_payload_text(request) -> str:
|
|
40
63
|
"""Extrae todo el contenido que podría contener inyecciones"""
|
|
41
64
|
parts = []
|
|
65
|
+
|
|
42
66
|
# Query params
|
|
43
67
|
if request.META.get("QUERY_STRING"):
|
|
44
68
|
parts.append(request.META.get("QUERY_STRING"))
|
|
69
|
+
|
|
45
70
|
# Body
|
|
46
71
|
try:
|
|
47
72
|
content_type = request.META.get("CONTENT_TYPE", "")
|
|
@@ -52,9 +77,11 @@ def extract_payload_text(request) -> str:
|
|
|
52
77
|
parts.append(request.body.decode("utf-8", errors="ignore"))
|
|
53
78
|
except Exception:
|
|
54
79
|
pass
|
|
80
|
+
|
|
55
81
|
# Headers
|
|
56
82
|
parts.append(request.META.get("HTTP_USER_AGENT", ""))
|
|
57
83
|
parts.append(request.META.get("HTTP_REFERER", ""))
|
|
84
|
+
|
|
58
85
|
return " ".join([p for p in parts if p])
|
|
59
86
|
|
|
60
87
|
|
|
@@ -71,12 +98,50 @@ def get_client_ip(request):
|
|
|
71
98
|
"""Obtiene la IP del cliente"""
|
|
72
99
|
x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR")
|
|
73
100
|
if x_forwarded_for:
|
|
74
|
-
ip = x_forwarded_for.split(",")[0]
|
|
101
|
+
ip = x_forwarded_for.split(",")[0].strip()
|
|
75
102
|
else:
|
|
76
|
-
ip = request.META.get("REMOTE_ADDR")
|
|
103
|
+
ip = request.META.get("REMOTE_ADDR", "0.0.0.0")
|
|
77
104
|
return ip
|
|
78
105
|
|
|
79
106
|
|
|
107
|
+
def is_valid_jwt(request) -> bool:
|
|
108
|
+
"""Valida si la petición trae un JWT válido en Authorization: Bearer <token>"""
|
|
109
|
+
if not SIMPLEJWT_AVAILABLE:
|
|
110
|
+
return False
|
|
111
|
+
auth = request.META.get("HTTP_AUTHORIZATION", "")
|
|
112
|
+
if not auth or not auth.startswith("Bearer "):
|
|
113
|
+
return False
|
|
114
|
+
token = auth.split(" ", 1)[1].strip()
|
|
115
|
+
try:
|
|
116
|
+
tb = TokenBackend(
|
|
117
|
+
algorithm=getattr(settings, "SIMPLE_JWT", {}).get("ALGORITHM", "HS256"),
|
|
118
|
+
signing_key=getattr(settings, "SIMPLE_JWT", {}).get(
|
|
119
|
+
"SIGNING_KEY", settings.SECRET_KEY
|
|
120
|
+
),
|
|
121
|
+
)
|
|
122
|
+
tb.decode(token, verify=True)
|
|
123
|
+
return True
|
|
124
|
+
except Exception:
|
|
125
|
+
return False
|
|
126
|
+
|
|
127
|
+
|
|
128
|
+
def is_valid_signed_bypass(request) -> bool:
|
|
129
|
+
"""Valida si la petición trae un token firmado válido y no expirado"""
|
|
130
|
+
signed = request.META.get(BYPASS_HEADER, "")
|
|
131
|
+
if not signed:
|
|
132
|
+
return False
|
|
133
|
+
signer = TimestampSigner(settings.SECRET_KEY)
|
|
134
|
+
try:
|
|
135
|
+
signer.unsign(signed, max_age=BYPASS_MAX_AGE)
|
|
136
|
+
return True
|
|
137
|
+
except SignatureExpired:
|
|
138
|
+
logger.info("Bypass token expirado")
|
|
139
|
+
return False
|
|
140
|
+
except BadSignature:
|
|
141
|
+
logger.info("Bypass token inválido")
|
|
142
|
+
return False
|
|
143
|
+
|
|
144
|
+
|
|
80
145
|
# ---------- Middleware ----------
|
|
81
146
|
class SQLIDefenseStrongMiddleware(MiddlewareMixin):
|
|
82
147
|
def process_request(self, request):
|
|
@@ -85,6 +150,7 @@ class SQLIDefenseStrongMiddleware(MiddlewareMixin):
|
|
|
85
150
|
# Revisa si la IP está temporalmente bloqueada
|
|
86
151
|
if client_ip in TEMP_BLOCK:
|
|
87
152
|
if time.time() - TEMP_BLOCK[client_ip] < BLOCK_DURATION:
|
|
153
|
+
logger.warning(f"IP bloqueada temporalmente: {client_ip}")
|
|
88
154
|
return JsonResponse(
|
|
89
155
|
{
|
|
90
156
|
"detail": "Acceso temporalmente bloqueado por actividad sospechosa",
|
|
@@ -95,6 +161,13 @@ class SQLIDefenseStrongMiddleware(MiddlewareMixin):
|
|
|
95
161
|
else:
|
|
96
162
|
del TEMP_BLOCK[client_ip]
|
|
97
163
|
|
|
164
|
+
# --- Nuevo: bypass por JWT válido o token firmado válido ---
|
|
165
|
+
if is_valid_jwt(request):
|
|
166
|
+
return None
|
|
167
|
+
if is_valid_signed_bypass(request):
|
|
168
|
+
return None
|
|
169
|
+
|
|
170
|
+
# --- Detección de SQLi ---
|
|
98
171
|
text = extract_payload_text(request)
|
|
99
172
|
if not text:
|
|
100
173
|
return None
|
|
@@ -103,14 +176,8 @@ class SQLIDefenseStrongMiddleware(MiddlewareMixin):
|
|
|
103
176
|
if flagged:
|
|
104
177
|
# Bloquea temporalmente la IP
|
|
105
178
|
TEMP_BLOCK[client_ip] = time.time()
|
|
106
|
-
# <-- Aquí puedes agregar la impresión o el log -->
|
|
107
|
-
print("IP detectada:", client_ip)
|
|
108
|
-
# O usando logging
|
|
109
|
-
import logging
|
|
110
|
-
|
|
111
|
-
logger = logging.getLogger(__name__)
|
|
112
179
|
logger.warning(
|
|
113
|
-
f"Intento de ataque detectado desde IP: {client_ip}, detalles: {matches}"
|
|
180
|
+
f"Intento de ataque detectado desde IP: {client_ip}, detalles: {matches}, payload: {text}"
|
|
114
181
|
)
|
|
115
182
|
return JsonResponse(
|
|
116
183
|
{
|
|
@@ -119,4 +186,5 @@ class SQLIDefenseStrongMiddleware(MiddlewareMixin):
|
|
|
119
186
|
},
|
|
120
187
|
status=403,
|
|
121
188
|
)
|
|
189
|
+
|
|
122
190
|
return None
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: GuardianUnivalle-Benito-Yucra
|
|
3
|
-
Version: 0.1.
|
|
3
|
+
Version: 0.1.9
|
|
4
4
|
Summary: Middleware y detectores de seguridad (SQLi, XSS, CSRF, DoS, Keylogger) para Django/Flask
|
|
5
5
|
Author-email: Andres Benito Calle Yucra <benitoandrescalle035@gmail.com>
|
|
6
6
|
License: MIT
|
|
@@ -7,14 +7,14 @@ GuardianUnivalle_Benito_Yucra/criptografia/kdf.py,sha256=_sbepEY1qHEKga0ExrX2WRg
|
|
|
7
7
|
GuardianUnivalle_Benito_Yucra/detectores/detector_csrf.py,sha256=EAYfLkHuxGC5rXSu4mZJ4yZDCbwBpTX8xZWGKz7i5wA,692
|
|
8
8
|
GuardianUnivalle_Benito_Yucra/detectores/detector_dos.py,sha256=lMWmCw6nccCEnek53nVjpoBCeiBqLdrSXxqRuI7VP2I,696
|
|
9
9
|
GuardianUnivalle_Benito_Yucra/detectores/detector_keylogger.py,sha256=rEDG-Q_R56OsG2ypfHVBK7erolYjdvATnAxB3yvPXts,729
|
|
10
|
-
GuardianUnivalle_Benito_Yucra/detectores/detector_sql.py,sha256=
|
|
10
|
+
GuardianUnivalle_Benito_Yucra/detectores/detector_sql.py,sha256=BG2XaxgvQK5c6X5Mdz8g4dthuSvC8NMMiDt03MknoJQ,6346
|
|
11
11
|
GuardianUnivalle_Benito_Yucra/detectores/detector_xss.py,sha256=66V_xuxNOZEwluvWOT4-6pk5MJ3zWE1IwcVkBl7MZSg,719
|
|
12
12
|
GuardianUnivalle_Benito_Yucra/middleware_web/middleware_web.py,sha256=23pLLYqliUoMrIC6ZEwz3hKXeDjWfHSm9vYPWGmDDik,495
|
|
13
13
|
GuardianUnivalle_Benito_Yucra/mitigacion/limitador_peticion.py,sha256=ipMOebYhql-6mSyHs0ddYXOcXq9w8P_IXLlpiIqGncw,246
|
|
14
14
|
GuardianUnivalle_Benito_Yucra/mitigacion/lista_bloqueo.py,sha256=6AYWII4mrmwCLHCvGTyoBxR4Oasr4raSHpFbVjqn7d8,193
|
|
15
15
|
GuardianUnivalle_Benito_Yucra/puntuacion/puntuacion_amenaza.py,sha256=Wx5XfcII4oweLvZsTBEJ7kUc9pMpP5-36RfI5C5KJXo,561
|
|
16
|
-
guardianunivalle_benito_yucra-0.1.
|
|
17
|
-
guardianunivalle_benito_yucra-0.1.
|
|
18
|
-
guardianunivalle_benito_yucra-0.1.
|
|
19
|
-
guardianunivalle_benito_yucra-0.1.
|
|
20
|
-
guardianunivalle_benito_yucra-0.1.
|
|
16
|
+
guardianunivalle_benito_yucra-0.1.9.dist-info/licenses/LICENSE,sha256=5e4IdL542v1E8Ft0A24GZjrxZeTsVK7XrS3mZEUhPtM,37
|
|
17
|
+
guardianunivalle_benito_yucra-0.1.9.dist-info/METADATA,sha256=PxiYZRLFPPf_PRvcBC_PmfPt-IYkGAMQSUqB0df89_g,1892
|
|
18
|
+
guardianunivalle_benito_yucra-0.1.9.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
|
|
19
|
+
guardianunivalle_benito_yucra-0.1.9.dist-info/top_level.txt,sha256=HTWfZM64WAV_QYr5cnXnLuabQt92dvlxqlR3pCwpbDQ,30
|
|
20
|
+
guardianunivalle_benito_yucra-0.1.9.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|